Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
symfony twig vulnerabilities and exploits
(subscribe to this query)
NA
CVE-2023-46734
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure the...
Sensiolabs Symfony
Sensiolabs Twig
NA
CVE-2023-22731
Shopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP functi...
Shopware Shopware
NA
CVE-2022-39261
Twig is a template language for PHP. Versions 1.x before 1.44.7, 2.x before 2.15.3, and 3.x before 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary f...
Symfony Twig
Drupal Drupal
Fedoraproject Fedora 35
Fedoraproject Fedora 36
Fedoraproject Fedora 37
Debian Debian Linux 10.0
Debian Debian Linux 11.0
1 Github repository
7.5
CVSSv2
CVE-2022-23614
Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to co...
Symfony Twig
Fedoraproject Fedora 34
Fedoraproject Fedora 35
Debian Debian Linux 11.0
2 Github repositories
4.3
CVSSv2
CVE-2019-9942
A sandbox information disclosure exists in Twig prior to 1.38.0 and 2.x prior to 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.
Symfony Twig
Debian Debian Linux 9.0
7.5
CVSSv2
CVE-2018-13818
Twig prior to 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to it
Symfony Twig
6.8
CVSSv2
CVE-2015-7809
The displayBlock function Template.php in Sensio Labs Twig prior to 1.20.0, when Sandbox mode is enabled, allows remote malicious users to execute arbitrary code via the _self variable in a template.
Symfony Twig
5
CVSSv2
CVE-2001-1537
The default "basic" security setting' in config.php for TWIG webmail 2.7.4 and previous versions stores cleartext usernames and passwords in cookies, which could allow malicious users to obtain authentication information and gain privileges.
Symfony Twig
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
encryption
CVE-2024-4331
CVE-2024-26925
arbitrary code
CVE-2006-4304
CVE-2024-25458
CVE-2024-27077
reflected XSS
CVE-2024-4059
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started